v1.1.0

fix: error: No more than 1 "s3_origin_config" blocks are allowed @Eyjafjallajokull (#359)

## what

• Fixed No more than 1 s3_origin_config blocks are allowed error when using multiple S3 origins with origin access identity enabled
• Changed for_each from iterating over var.s3_origins to using [1] to create a single s3_origin_config block

why

• AWS CloudFront only allows one s3_origin_config block per origin
• The previous implementation incorrectly created multiple blocks when multiple S3 origins were configured

references

fixes #325

to reproduce error

1. in examples/complete/main.tf#L102 replace origin_access_control with origin_access_identity
   https://github.com/Eyjafjallajokull/terraform-aws-cloudfront-s3-cdn/blob/96703043867c986ff3fc1550448118111a9f5659/examples/complete/main.tf#L102
2. terraform plan fails with the above error.

v1.0.1

🚀 Enhancements

fix: Resolve unsupported attribute error in S3 website block @jwadolowski (#358)

## what

Restore lookup() calls in main.tf to address the website_enabled = true use case that was broken when #340 replaced them with explicit variable calls to avoid silent default value assignments. Additionally includes corresponding module instances in the test suite.

why

website_enabled = true implies a reference to 2 mutually exclusive configurations defined as the local.website_config variable. In the default case, index_document, error_document, and routing_rules elements exist, but redirect_all_requests_to does not, which leads to the following error:

╷
│ Error: Unsupported attribute
│
│   on ../../main.tf line 325, in resource "aws_s3_bucket" "origin":
│  325:       redirect_all_requests_to = website.value.redirect_all_requests_to
│     ├────────────────
│     │ website.value is object with 3 attributes
│
│ This object does not have an attribute named "redirect_all_requests_to".
╵

Similarly, website_enabled = true combined with redirect_all_requests_to = "https://example.com" would result in missing references to the index_document, error_document, and routing_rules fields.

All in all, in this particular case, the lookup() usage is definitely justified and does not mean a silent/hidden injection of a variable default.

references

• resolves #354

v0.98.2

🤖 Automatic Updates

chore(deps): update terraform cloudposse/s3-log-storage/aws to v1.4.5 (release/v0) @[renovate[bot]](https://github.com/apps/renovate) (#351)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/s3-log-storage/aws (source)	module	patch	1.4.2 -> 1.4.5

---

Release Notes

cloudposse/terraform-aws-s3-log-storage (cloudposse/s3-log-storage/aws)

v1.4.5

Compare Source

🚀 Enhancements

fix: remove join calls on bucket arn + id usage @​carterdanko-dw (#​125)

what

• Initially put the wrong values for coditions, just needs to be a list
• Bucket should be single resource vs joining on a list.

references

issue #122

🐛 Bug Fixes

fix: remove join calls on bucket arn + id usage @​carterdanko-dw (#​125)

what

• Initially put the wrong values for coditions, just needs to be a list
• Bucket should be single resource vs joining on a list.

references

issue #122

v1.4.4

Compare Source

🚀 Enhancements

Issue-122/Values expect list of strings vs string @​carterdanko-dw (#​123)

what

Updating the sqs iam permissions, as the values expects to be a list of strings vs just the single string arn that is the output of the module.

why

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam\_policy\_document#condition-1 expects to be a list of strings, vs just the single string arn of the s3 bucket.

references

Github issue #​122

🐛 Bug Fixes

Issue-122/Values expect list of strings vs string @​carterdanko-dw (#​123)

what

Updating the sqs iam permissions, as the values expects to be a list of strings vs just the single string arn that is the output of the module.

why

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam\_policy\_document#condition-1 expects to be a list of strings, vs just the single string arn of the s3 bucket.

references

Github issue #​122

🤖 Automatic Updates

Migrate new test account @​osterman (#​119)

what

• Update .github/settings.yml
• Update .github/chatops.yml files

why

• Re-apply .github/settings.yml from org level to get terratest environment
• Migrate to new test account

References

• DEV-388 Automate clean up of test account in new organization
• DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
• DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @​osterman (#​118)

what

• Update .github/settings.yml
• Drop .github/auto-release.yml files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @​osterman (#​112)

what

• Update .github/settings.yml
• Drop .github/auto-release.yml files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @​osterman (#​111)

what

• Update .github/settings.yml
• Drop .github/auto-release.yml files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update release workflow to allow pull-requests: write @​osterman (#​110)

what

• Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

• So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @​osterman (#​109)

what

• Update workflows (.github/workflows) to use shared workflows from .github repo

why

• Reduce nested levels of reusable workflows

Update GitHub Workflows to Fix ReviewDog TFLint Action @​osterman (#​108)

what

• Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

• The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @​osterman (#​107)

what

• Update workflows (.github/workflows/settings.yaml)

why

• Support new readme generation workflow.
• Generate banners

Use GitHub Action Workflows from `cloudposse/.github` Repo @​osterman (#​106)

what

• Install latest GitHub Action Workflows

why

• Use shared workflows from cldouposse/.github repository
• Simplify management of workflows from centralized hub of configuration

Add GitHub Settings @​osterman (#​104)

what

• Install a repository config (.github/settings.yaml)

why

• Programmatically manage GitHub repo settings

Update README.md and docs @​cloudpossebot (#​99)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update Scaffolding @​osterman (#​100)

what

• Reran make readme to rebuild README.md from README.yaml
• Migrate to square badges
• Add scaffolding for repo settings and Mergify

why

• Upstream template changed in the .github repo
• Work better with repository rulesets
• Modernize look & feel

v1.4.3

Compare Source

🤖 Automatic Updates

Update Terraform cloudposse/s3-bucket/aws to v3.1.3 (main) @​renovate (#​95)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/s3-bucket/aws (source)	module	patch	3.1.2 -> 3.1.3

---

Release Notes

cloudposse/terraform-aws-s3-bucket (cloudposse/s3-bucket/aws)

v3.1.3

Compare Source

Unfortunately, this change makes count unknown at plan time in certain situations. In general, you cannot use the output of compact() in count.

The solution is to stop using the deprecated policy input and revert to 3.1.2 or upgrade to 4.0.

🚀 Enhancements

Fix `source_policy_documents` combined with `var.policy` being ignored @​&#​8203;johncblandii (#&#​8203;201)

what

• Changed var.source_policy_documents to local.source_policy_documents so var.policy usage was still supported

why

• The ternary check uses var,source_policy_documents so var.policy being combined with var.source_policy_documents into local.source_policy_documents does not provide true for the ternary to execute

references

• https://github.com/cloudposse/terraform-aws-config-storage/pull/39

---

Update README.md and docs @​cloudpossebot (#​94)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the [repository job log](https://develo...

v1.0.0

feat: Backport cloudposse/cloudfront-cdn/aws improvements @jwadolowski (#340)

## what

Backport of the following cloudposse/terraform-aws-cloudfront-cdn improvements:

• cloudposse/terraform-aws-cloudfront-cdn#140
• cloudposse/terraform-aws-cloudfront-cdn#142
• cloudposse/terraform-aws-cloudfront-cdn#147
• cloudposse/terraform-aws-cloudfront-cdn#149

Detailed breakdown:

• aws_s3_bucket_cors_configuration is deployed only when at least one CORS origin is defined (examples/complete/minimal.tf fails if this isn't handled)
• don't use lookup() (or any other default variable value fallback method) - all defaults should be defined in the variables.tf file
• wrap optional variables with optional() and provide sane defaults (in most cases that'd be empty string/list/null or predefined AWS default when applicable, e.g. timeout values)
• default origin
  • add origin_keepalive_timeout and origin_read_timeout
• custom origin improvements
  • enable shield configuration
• custom s3 origins
  • allow for shield configuration
  • fix origin_access_control_id assignment (origin.value.s3_origin_config.origin_access_control_id doesn't exist, but origin.value.origin_access_control_id does)
• ordered cache improvements
  • gRPC support
• cookie block should set whitelisted_names param only when forward=whitelist (in all other cases, all and none, the whitelisted_names is automatically set to null)

why

Both CloudPosse CDN modules should stay in sync (feature-wise) and leverage the same set of improvements.

references

• includes #347 to re-generate docs after changes. #347 should get merged first

v0.98.1

fix(lambda@edge): Add support for doc auto-generation with atmos @jwadolowski (#347)

## what

README.md generation support with atmos CLI.

why

#342 replaced Makefile with atmos.yaml for the main module, but Lambda@Edge submodule got overlooked.

references

• #342

🤖 Automatic Updates

Fix go version in tests @osterman (#343)

## what - Update go `1.24`

why

• Error loading shared library libresolv.so.2 in Go 1.20

References

• https://sweetops.slack.com/archives/G014YEKDH4K/p1746672149263629
• golang/go#59305 (comment)
• #294

Replace Makefile with atmos.yaml @osterman (#342)

## what - Remove `Makefile` - Add `atmos.yaml`

why

• Replace build-harness with atmos for readme genration

References

• DEV-3229 Migrate from build-harness to atmos

v0.98.0

fix: terratest w/ go updates @oycyc (#337)

Not familiar with how Go works, but following the suggestions to update packages looks to fix the tests in this repository!

The commands I executed per @Nuru 's suggestion on Slack:

cd test/src
go get -u ./... [github.com/gruntwork-io/terratest](http://github.com/gruntwork-io/terratest) [github.com/stretchr/testify](http://github.com/stretchr/testify) [email protected]
go mod tidy

Slack thread here on CloudPosse: https://sweetops.slack.com/archives/G014YEKDH4K/p1748635698940509?thread_ts=1746672149.263629&cid=G014YEKDH4K

🚀 Enhancements

replace TLSv1.2_2019 with TLSv1.2_2021 as default policy @jamerply (#294)

## what

This PR updates the mimimum_protocol_version variable so that it defaults to TLSv1.2_2021 (the current recommended security policy recommended by AWS) instead of TLSv1.2_2019.

why

The most current security policy is no longer TLSv1.2_2019 but is TLSv1.2_2021.

references

See the "Security Policy" heading under the "Distribution Setting" section of the AWS CloudFront Documentation for further information.

v0.97.0

🚀 Enhancements

feat: Add support for custom Lambda@Edge policies @jwadolowski (#333)

## what

Execution role associated with Lambda@Edge comes with a hardcoded policy that enables write access to CloudWatch logs. This PR adds support for additional policies. It was implemented in a similar fashion to additional_bucket_policy from the parent module.

why

It's a fairly common situation that a Lambda@Edge function needs access to other AWS services/resources than CloudWatch logs. aws_lambda_function's role argument expects a single role ARN, therefore the only reasonable option is to append new policy statements to the IAM role created in scope of this module.

references

closes #261

v0.96.2

🚀 Enhancements

Set allowed and cache methods as non nullable @travis-reed (#324)

what

Set allowed_methods and cached_methods as non nullable

Setting nullable to false ensures that the variable value will never be null within the module. If nullable is false and the variable has a default value, then Terraform uses the default when a module input argument is null.

why

I want to be able to sometimes call this module with explicit allowed_methods and cached_methods and sometimes just use the module defaults.

As it stands, I cannot do that without making my default value match your default value. It would be better for the module to use its defaults when I pass in null

Right now I am hitting

Error: Missing required argument

  with module.fanx.module.sdp_assets.module.static_cdn.aws_cloudfront_distribution.default[0],
  on /tmp/terraform-data-dir/modules/fanx.sdp_assets.static_cdn/main.tf line 522, in resource "aws_cloudfront_distribution" "default":
 522:     allowed_methods            = var.allowed_methods

The argument "default_cache_behavior.0.allowed_methods" is required, but no
definition was found.

Which I can work around by setting a default on my side, but it isn't ideal behavior

references

• https://developer.hashicorp.com/terraform/language/values/variables#disallowing-null-input-values
• https://stackoverflow.com/questions/72213875/transformer-how-to-call-a-module-with-variables-as-default-value

Additional Notes

I wouldn't consider this a breaking change. Today, the behavior if you pass in null as the argument to the module you will get a failure as shown above. This makes passing in null possible without negatively impacting existing users.

Make sure tags are associated with Lambda functions(#332)

why

tags argument is not set at all which results in an empty tag list.

references

https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/v0.96.1/modules/lambda%40edge/main.tf#L78-L86

v0.96.1

🚀 Enhancements

memory and timeout vars for lambda@edge @mihaiplesa (#330)

## what

Allow to configure memory size and timeout for Lambda@Edge module.

why

These fields are not configurable now.

references

Resolves #331

v0.96.0

Adding origin_access_control_id to custom_origins @jjchiw (#326)

Adding Origin Access Control Id to Custom Origins

what

Custom Origins didn't have Origin Access Control

Implements this infrastructure

https://aws.amazon.com/blogs/networking-and-content-delivery/image-optimization-using-amazon-cloudfront-and-aws-lambda/

why

Custom Origins didn't have Origin Access Control if we wanted to invoke a lambda we were not able to do it

references

Summary by CodeRabbit

• New Features

  • Enhanced configuration options for custom origins in CloudFront with the addition of origin_access_control_id.
  • Updated variable definitions for custom_origins and s3_origins to include access control ID.

• Bug Fixes

  • Deprecated certain variables to streamline configuration and encourage best practices.

• Documentation

  • Updated documentation to reflect changes in variable structures and configurations.